Commit 1f55614b authored by Cong Wang's avatar Cong Wang Committed by Khalid Elmously

llc: properly handle dev_queue_xmit() return value

BugLink: https://bugs.launchpad.net/bugs/1775771

[ Upstream commit b85ab56c ]

llc_conn_send_pdu() pushes the skb into write queue and
calls llc_conn_send_pdus() to flush them out. However, the
status of dev_queue_xmit() is not returned to caller,
in this case, llc_conn_state_process().

llc_conn_state_process() needs hold the skb no matter
success or failure, because it still uses it after that,
therefore we should hold skb before dev_queue_xmit() when
that skb is the one being processed by llc_conn_state_process().

For other callers, they can just pass NULL and ignore
the return value as they are.
Reported-by: default avatarNoam Rathaus <noamr@beyondsecurity.com>
Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
parent d0ba94f3
...@@ -104,7 +104,7 @@ void llc_sk_reset(struct sock *sk); ...@@ -104,7 +104,7 @@ void llc_sk_reset(struct sock *sk);
/* Access to a connection */ /* Access to a connection */
int llc_conn_state_process(struct sock *sk, struct sk_buff *skb); int llc_conn_state_process(struct sock *sk, struct sk_buff *skb);
void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb); int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb);
void llc_conn_rtn_pdu(struct sock *sk, struct sk_buff *skb); void llc_conn_rtn_pdu(struct sock *sk, struct sk_buff *skb);
void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit); void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit);
void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit); void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit);
......
...@@ -389,7 +389,7 @@ static int llc_conn_ac_send_i_cmd_p_set_0(struct sock *sk, struct sk_buff *skb) ...@@ -389,7 +389,7 @@ static int llc_conn_ac_send_i_cmd_p_set_0(struct sock *sk, struct sk_buff *skb)
llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR); llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR);
rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
if (likely(!rc)) { if (likely(!rc)) {
llc_conn_send_pdu(sk, skb); rc = llc_conn_send_pdu(sk, skb);
llc_conn_ac_inc_vs_by_1(sk, skb); llc_conn_ac_inc_vs_by_1(sk, skb);
} }
return rc; return rc;
...@@ -916,7 +916,7 @@ static int llc_conn_ac_send_i_rsp_f_set_ackpf(struct sock *sk, ...@@ -916,7 +916,7 @@ static int llc_conn_ac_send_i_rsp_f_set_ackpf(struct sock *sk,
llc_pdu_init_as_i_cmd(skb, llc->ack_pf, llc->vS, llc->vR); llc_pdu_init_as_i_cmd(skb, llc->ack_pf, llc->vS, llc->vR);
rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac);
if (likely(!rc)) { if (likely(!rc)) {
llc_conn_send_pdu(sk, skb); rc = llc_conn_send_pdu(sk, skb);
llc_conn_ac_inc_vs_by_1(sk, skb); llc_conn_ac_inc_vs_by_1(sk, skb);
} }
return rc; return rc;
...@@ -935,14 +935,17 @@ static int llc_conn_ac_send_i_rsp_f_set_ackpf(struct sock *sk, ...@@ -935,14 +935,17 @@ static int llc_conn_ac_send_i_rsp_f_set_ackpf(struct sock *sk,
int llc_conn_ac_send_i_as_ack(struct sock *sk, struct sk_buff *skb) int llc_conn_ac_send_i_as_ack(struct sock *sk, struct sk_buff *skb)
{ {
struct llc_sock *llc = llc_sk(sk); struct llc_sock *llc = llc_sk(sk);
int ret;
if (llc->ack_must_be_send) { if (llc->ack_must_be_send) {
llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb); ret = llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb);
llc->ack_must_be_send = 0 ; llc->ack_must_be_send = 0 ;
llc->ack_pf = 0; llc->ack_pf = 0;
} else } else {
llc_conn_ac_send_i_cmd_p_set_0(sk, skb); ret = llc_conn_ac_send_i_cmd_p_set_0(sk, skb);
return 0; }
return ret;
} }
/** /**
......
...@@ -30,7 +30,7 @@ ...@@ -30,7 +30,7 @@
#endif #endif
static int llc_find_offset(int state, int ev_type); static int llc_find_offset(int state, int ev_type);
static void llc_conn_send_pdus(struct sock *sk); static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *skb);
static int llc_conn_service(struct sock *sk, struct sk_buff *skb); static int llc_conn_service(struct sock *sk, struct sk_buff *skb);
static int llc_exec_conn_trans_actions(struct sock *sk, static int llc_exec_conn_trans_actions(struct sock *sk,
struct llc_conn_state_trans *trans, struct llc_conn_state_trans *trans,
...@@ -193,11 +193,11 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb) ...@@ -193,11 +193,11 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
return rc; return rc;
} }
void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb) int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb)
{ {
/* queue PDU to send to MAC layer */ /* queue PDU to send to MAC layer */
skb_queue_tail(&sk->sk_write_queue, skb); skb_queue_tail(&sk->sk_write_queue, skb);
llc_conn_send_pdus(sk); return llc_conn_send_pdus(sk, skb);
} }
/** /**
...@@ -255,7 +255,7 @@ void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit) ...@@ -255,7 +255,7 @@ void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit)
if (howmany_resend > 0) if (howmany_resend > 0)
llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO; llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO;
/* any PDUs to re-send are queued up; start sending to MAC */ /* any PDUs to re-send are queued up; start sending to MAC */
llc_conn_send_pdus(sk); llc_conn_send_pdus(sk, NULL);
out:; out:;
} }
...@@ -296,7 +296,7 @@ void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit) ...@@ -296,7 +296,7 @@ void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit)
if (howmany_resend > 0) if (howmany_resend > 0)
llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO; llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO;
/* any PDUs to re-send are queued up; start sending to MAC */ /* any PDUs to re-send are queued up; start sending to MAC */
llc_conn_send_pdus(sk); llc_conn_send_pdus(sk, NULL);
out:; out:;
} }
...@@ -340,12 +340,16 @@ int llc_conn_remove_acked_pdus(struct sock *sk, u8 nr, u16 *how_many_unacked) ...@@ -340,12 +340,16 @@ int llc_conn_remove_acked_pdus(struct sock *sk, u8 nr, u16 *how_many_unacked)
/** /**
* llc_conn_send_pdus - Sends queued PDUs * llc_conn_send_pdus - Sends queued PDUs
* @sk: active connection * @sk: active connection
* @hold_skb: the skb held by caller, or NULL if does not care
* *
* Sends queued pdus to MAC layer for transmission. * Sends queued pdus to MAC layer for transmission. When @hold_skb is
* NULL, always return 0. Otherwise, return 0 if @hold_skb is sent
* successfully, or 1 for failure.
*/ */
static void llc_conn_send_pdus(struct sock *sk) static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *hold_skb)
{ {
struct sk_buff *skb; struct sk_buff *skb;
int ret = 0;
while ((skb = skb_dequeue(&sk->sk_write_queue)) != NULL) { while ((skb = skb_dequeue(&sk->sk_write_queue)) != NULL) {
struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb); struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb);
...@@ -357,10 +361,20 @@ static void llc_conn_send_pdus(struct sock *sk) ...@@ -357,10 +361,20 @@ static void llc_conn_send_pdus(struct sock *sk)
skb_queue_tail(&llc_sk(sk)->pdu_unack_q, skb); skb_queue_tail(&llc_sk(sk)->pdu_unack_q, skb);
if (!skb2) if (!skb2)
break; break;
skb = skb2; dev_queue_xmit(skb2);
} else {
bool is_target = skb == hold_skb;
int rc;
if (is_target)
skb_get(skb);
rc = dev_queue_xmit(skb);
if (is_target)
ret = rc;
} }
dev_queue_xmit(skb);
} }
return ret;
} }
/** /**
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment